Threat Intelligence and Cyber Threat Management (CTM) Protection Update for the 1st week of May 2018

New Detection Technique – Adobe Flash 0 day

CVE-2018-4944 allows for arbitrary remote code execution on machines running Adobe Flash 29.0.0.140 and earlier. An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux, and Chrome OS. This patch also addresses several security vulnerabilities in the Creative Cloud desktop applications.

We've added IDS signatures and the following correlation rule to detect this activity:

BKRansomware was discovered in the wild in mid-April. Unusually, files affected by BKRansomware are not really encrypted. Instead, the files are encoded with ROT23, which is a simple letter substitution cipher.

BKRansomware targets files with a small number of extensions, such as .txt, .cpp, .docx, .doc, .pdf, .jpg, .png, .py, or .sql. Affected files are renamed with the .hainhc extension after encoding.

The ransomware message shows up in a command console window, and it is quite brief. It asks for just 50 viettel in order to restore the encrypted data. A viettel is a form of credit for mobile phones, used in Vietnam and neighboring countries.
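Because ROT23 is a fixed letter rotation rather than encryption, affected files can be recovered without any key. The following is an added example, not code from the original bulletin or from the malware: it implements the ROT23 transform and its inverse (a rotation by the remaining 3 positions) over bytes, and strips the .hainhc suffix from a file name. It assumes that only ASCII letters are rotated and that .hainhc is appended to the original name; the sample plaintext is constructed.

```python
from pathlib import Path

HAINHC_SUFFIX = ".hainhc"  # extension reported for affected files

# Constructed sample content, standing in for a small .sql file.
SAMPLE_PLAINTEXT = b"SELECT * FROM users;\n"


def rot_letters(data: bytes, shift: int) -> bytes:
    """Rotate ASCII letters by `shift` positions; every other byte is left unchanged.

    Assumption: BKRansomware's ROT23 only touches A-Z and a-z, so digits,
    punctuation and binary bytes pass through untouched.
    """
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:        # 'A'..'Z'
            out.append((b - 65 + shift) % 26 + 65)
        elif 97 <= b <= 122:     # 'a'..'z'
            out.append((b - 97 + shift) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def rot23_encode(data: bytes) -> bytes:
    """The transform the ransomware applies (rotation by 23)."""
    return rot_letters(data, 23)


def rot23_decode(data: bytes) -> bytes:
    """Undo ROT23: rotating by the remaining 3 positions completes the 26-letter cycle."""
    return rot_letters(data, 3)


def restore_name(name: str) -> str:
    """Strip the .hainhc suffix (assumed appended to the original file name)."""
    if name.endswith(HAINHC_SUFFIX):
        return name[: -len(HAINHC_SUFFIX)]
    return name


def recover_file(encoded_path: Path) -> Path:
    """Decode one .hainhc file next to itself and return the restored path.

    The encoded file is left in place so an analyst keeps the original artifact.
    """
    restored = encoded_path.with_name(restore_name(encoded_path.name))
    restored.write_bytes(rot23_decode(encoded_path.read_bytes()))
    return restored


if __name__ == "__main__":
    encoded = rot23_encode(SAMPLE_PLAINTEXT)
    print("encoded :", encoded)
    print("decoded :", rot23_decode(encoded))
    print("filename:", restore_name("report.docx" + HAINHC_SUFFIX))
```

Running the block prints the constructed sample rotated to `PBIBZQ * COLJ rpbop;` and then restored; `recover_file` applies the same decoding to a file on disk.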

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Ransomware infection, BKransomware

New Detection Techniques - Trojan Infection

We've added the following correlation rules as a result of additional recent malicious activity:

System Compromise, Trojan infection, MSIL/Agent.SLZ

System Compromise, Trojan infection, MSIL/Vega Stealer

System Compromise, Trojan infection, RedCap Downloader

System Compromise, Trojan infection, W32/Agent.TAQ

System Compromise, Trojan infection, W32/StrawberryKR.Screenlocker

System Compromise, Trojan infection, Win32.Wakme

System Compromise, Trojan infection, Win32/c4tger

New Detection Techniques

We've added the following correlation rules as a result of additional recent malicious activity:

Emotet is a loader that has been observed in multiple campaigns globally. Though it was originally focused on credential data theft, it has also been used to deliver banking trojans.

Stolen credentials are stored in a temporary file, then encrypted and delivered to a command and control (C&C) server. Emotet uses the SMTP protocol to send out its malicious emails.

Emotet is usually distributed via phishing or social engineering campaigns, inserted into mail attachments, or downloaded from malicious links. Some Emotet samples have internal network propagation capabilities built in, mostly relying on credential brute-forcing. It can also inject itself into other running processes.

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Malware infection, Emotet

Updated Detection Technique - Malware SSL Certificates

We've added new IDS signatures to include the list of certificates identified by Abuse.ch to be associated with malware or botnet activities. The updated correlation rules use this information to detect command and control (C&C) communications related to several malware families, including:
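As an added illustration of how a certificate blocklist such as the Abuse.ch SSL list is applied in detection (this is example code, not the vendor's IDS signatures or correlation rules), the block below normalizes SHA1 certificate fingerprints seen in TLS session logs and matches them against a blocklist. The blocklist entries, family labels and log lines are all constructed for the example; the `cert_sha1=` key=value log format is an assumption, as is loading the real list from Abuse.ch's published CSV of SHA1 fingerprints.

```python
import re
from typing import Dict, List, Tuple

# Constructed blocklist: SHA1 certificate fingerprint -> label. The hex values
# and family names are made up; a real deployment would load the Abuse.ch
# SSL blacklist export (assumption: one SHA1 fingerprint per entry).
MALICIOUS_CERT_SHA1: Dict[str, str] = {
    "0123456789abcdef0123456789abcdef01234567": "Example-Family-A (constructed)",
    "fedcba9876543210fedcba9876543210fedcba98": "Example-Family-B (constructed)",
}

# Constructed TLS session log in a simple key=value layout. The last line has
# no certificate field (e.g. the handshake never completed) and must be skipped.
SAMPLE_TLS_LOG = """\
ts=2018-05-02T10:14:03Z src=10.0.0.5 dst=203.0.113.9:443 sni=example.invalid cert_sha1=01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
ts=2018-05-02T10:14:09Z src=10.0.0.7 dst=198.51.100.20:443 sni=update.example cert_sha1=ffffffffffffffffffffffffffffffffffffffff
ts=2018-05-02T10:15:41Z src=10.0.0.9 dst=192.0.2.77:8443 sni=- cert_sha1=FEDCBA9876543210FEDCBA9876543210FEDCBA98
ts=2018-05-02T10:16:00Z src=10.0.0.9 dst=192.0.2.78:443 sni=-
"""

_FIELD_RE = re.compile(r"(\w+)=(\S+)")
_SHA1_RE = re.compile(r"[0-9a-f]{40}")


def normalize_sha1(fingerprint: str) -> str:
    """Canonicalize a SHA1 fingerprint so 'AB:CD...' and 'abcd...' compare equal."""
    cleaned = fingerprint.replace(":", "").lower()
    if not _SHA1_RE.fullmatch(cleaned):
        raise ValueError(f"not a SHA1 fingerprint: {fingerprint!r}")
    return cleaned


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (constructed format)."""
    return dict(_FIELD_RE.findall(line))


def find_c2_sessions(log_text: str, blocklist: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, label) for every session whose server cert is blocklisted."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        raw_fp = fields.get("cert_sha1")
        if raw_fp is None:
            continue  # no certificate observed; nothing to match against
        try:
            fingerprint = normalize_sha1(raw_fp)
        except ValueError:
            continue  # malformed field: skip the record rather than crash the detector
        label = blocklist.get(fingerprint)
        if label is not None:
            hits.append((fields["src"], fields["dst"], label))
    return hits


if __name__ == "__main__":
    for src, dst, label in find_c2_sessions(SAMPLE_TLS_LOG, MALICIOUS_CERT_SHA1):
        print(f"C&C certificate match: {src} -> {dst} [{label}]")
```

Normalizing the fingerprint before lookup matters in practice: sensors and feeds disagree on case and on colon separators, and a raw string comparison would silently miss matches.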